Eight ways to protect against wireless security threats

As computers shrink in size, more workers are leaving their offices and desktop machines behind and heading out the door. For some, toting a laptop allows more face time with customers, significantly adding to the employee's productivity. Others gain the flexibility that keeps careers on track while ensuring that personal obligations are under control. And another segment — those that must oversee complex manufacturing environments — can be close to the action, but still have instant access to communication and information resources.

Laptop computers initiated this shift in working style, and personal digital assistants (PDAs) have increased it exponentially. Gartner Group Inc., the Stamford, Conn.-based industry analyst firm, predicts that by the end of 2002, 60% of office workers will carry at least three mobile devices.

Mobilizing the enterprise, however, carries a price tag. Organizations are confronting a new set of problems brought about by the size of these mobile devices, the type of information they carry and the communication resources they require.

As was true when the use of PCs and laptops exploded in the corporate world, hand-held computing devices need to be managed. And, because no network is ever completely safe — even the FBI has had to deal with infiltration from outside threats — companies must actively control how data is maintained. With a large number of small computing assets relying on wireless networks, whether public or private, security must be the number one concern that companies address when deploying them.

However, even with this staggering reality facing corporate IT departments, many ignore the problem because security is a complex issue that's confusing and hard to measure. Corporate initiatives that deploy mobile and wireless devices must ensure that an enterprise's operations and data are not vulnerable to outside threats. Eight significant problems must be addressed to ensure that the benefits of a wireless, mobile solution significantly outweigh the risks.

The infrastructure doesn't protect the data

Most organizations maintain critical business information in many locations while deploying large numbers of wireless devices that can access it. Because of bandwidth, availability and cost considerations, mobile workers rely on public networks when working away from the office. Whenever any type of data travels over the public infrastructure, it is susceptible to theft, incorrect routing and loss. Network complexity and the large numbers of people with access to it result in system vulnerabilities.

“As computers shrink in size, more workers are leaving their offices and desktop machines behind and heading out the door.”

– Chris Foley

In the days of the Pony Express, when the payroll was stolen en route, it was usually for monetary gain. Today, wreaking havoc on a corporation by stealing or corrupting data is considered entertainment by many. In a masquerade attack, someone illegitimately poses as an authentic system user, using that user's password, which can be discovered by any of a number of methods. Companies clearly need a strong authentication mechanism to prevent an attacker from successfully assuming another's identity. These mechanisms must be extended to handheld and wireless devices, or the corporate data they contain will not be protected properly while being communicated over the public infrastructure.

Applications don't protect the data

Companies cannot rely solely on the security provided within an application (most of the time there is none). When updating applications or data, a management tool that incorporates security standards, such as Secure Socket Layer (SSL), should be a typical component of the support infrastructure. Additionally, the tool should be designed specifically for low bandwidth, sometimes-disconnected environments.

Data loss means lost work

Backup, backup, backup. Whether data no longer exists because a device was lost or stolen, or whether that information was erased maliciously, the company suffers. Without the appropriate backup process in place — which includes backing up information to a server, not just a companion PC — the productivity gains organizations realize from expanding the mobile enterprise can be erased quickly.

Companies cannot depend on an end-user, who is focused on a personal mission, to consistently perform backups. In the past, when the process involved capturing information on paper first and then entering it into a computer, the original papers provided a layer of security against complete information loss in the event of computer failure. When information is not under central IT control, work must be redone completely when the data is lost, costing the organization time, resources and customer satisfaction.

Viruses are lurking

For years, IT departments have been deploying management software over their local area networks that includes virus protection. These tools constantly monitor for, and protect against, known viruses. However, the virus protection is designed to run in a constantly connected environment that has a large bandwidth consistently available. To protect mobile computing devices, organizations must provide virus protection through a management tool that can deliver and update virus protection files.

PDA security is in its infancy

Default encryption that networked PDAs use may be vulnerable to operating system and spoof attacks because it often uses simple keys that hackers know well. To reduce these risks, companies must specify not only which brands of PDAs will be supported, but also which operating system versions should be used. Most operating system vendors gradually fix the security holes in their platforms, releasing new versions over time. Meanwhile, companies need a management tool that detects attributes, such as the operating system, and performs criteria checking before allowing the PDA to connect to the network.

Eavesdroppers have easy access

Many companies deploy wireless LANs based on the 802.11 standards. As IT departments complete the risk/benefit analysis of implementing these wireless networks, they discover that users in certain areas of the company are deploying unsanctioned networks that leave the information infrastructure more vulnerable to "drive-by hacking." Because wireless LANs use radio frequency signals, they are vulnerable to eavesdropping by anyone with a PC and a wireless network interface card. By pretending to be a valid user, these attackers subtract data from and add data to the system easily — invalid data appears to be valid corporate data. Many 802.11 WLAN implementations leave their systems open to hacking because they are not enabling the WEP encryption or MAC address-based restrictions available to them. Even with these safeguards implemented, 802.11 networks are still vulnerable to hacking.

Devices can be easily lost or stolen

Business people are always on the move and constantly preoccupied with pressing business issues. Last year, more than 250,000 cell phones and PDAs were left in America's airports. In addition, because of their small form factor, PDAs, and even laptops, can be concealed easily, making them vulnerable to theft. Companies need a management solution that can "kill" information on a device as soon as it is reported missing. This is especially effective for wireless devices, such as interactive pagers that are always connected to a network.

Unauthorized use is possible

By default, most PDAs power up with none of the security measures activated. Security settings for passwords and hidden files at power up are, for the most part, optional; the user can turn them off. Companies need to have policies in place that require using passwords or use management software that reactivates the password feature during the next connection when a user "inadvertently" disables it. Another activity that could result in corporate data being available to outsiders is sending damaged or broken PDAs to retail service centers. These devices should be stripped of data before servicing or should be repaired in-house.

One thing is clear. Companies that seek to increase productivity by deploying mobile devices in wireless operating environments must address security issues first. Finding the holes the communications network creates, the applications these devices support and the device itself — that's the hard part. Management tools that provide comprehensive features and functionality need to be implemented to address these issues and ensure mobile deployment success.